62 lines
2.1 KiB
Markdown
62 lines
2.1 KiB
Markdown
|
# Runelab CA
|
||
|
|
||
|
A certificate authority for the HomeLab.
|
||
|
|
||
|
The setup was mostly done by following these two guides:
|
||
|
* [Jamie Nguyen's OpenSSL CA guide](https://jamielinux.com/docs/openssl-certificate-authority/introduction.html)
|
||
|
* [Mour's](https://github.com/mylamour) [blog post Jamie's guide using an HSM](https://github.com/mylamour/blog/issues/80)
|
||
|
|
||
|
## Notes of precaution
|
||
|
|
||
|
* The root key is a yubikey kept in a physical vault at a bank in Switzerland.
|
||
|
* All signings are done on an airgapped machine in a live-boot environment.
|
||
|
* This repo is transferred on and off the signing machine with a regular usb drive.
|
||
|
|
||
|
## Setup
|
||
|
|
||
|
### Required Software
|
||
|
|
||
|
* OpenSSL
|
||
|
* [YKCS11](https://developers.yubico.com/yubico-piv-tool/YKCS11/)
|
||
|
* [AUR Link](https://aur.archlinux.org/packages/ykcs11-p11-kit-module)
|
||
|
|
||
|
### Generating the Root
|
||
|
|
||
|
```sh
|
||
|
# Creating directory structure
|
||
|
mkdir {certs,crl,csr,newcerts,conf}
|
||
|
# Creating required files
|
||
|
touch database.txt
|
||
|
echo 1000 > serial
|
||
|
echo 1000 > crlnumber
|
||
|
# OpenSSL CA config file
|
||
|
vim config/ca.conf
|
||
|
# Setting up PKCS11
|
||
|
export PKCS11_MODULE_PATH="/usr/lib/libykcs11.so"
|
||
|
export MODULE_PATH="/usr/lib/libykcs11.so"
|
||
|
# Generating the root
|
||
|
openssl req -new -x509 -days 8000 -sha256 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:object=Private key for PIV Authentication" -out certs/root.ca.cert.pem
|
||
|
```
|
||
|
|
||
|
### Issuing Intermediaries
|
||
|
|
||
|
```sh
|
||
|
# Sign the Intermediary
|
||
|
openssl ca -config config/ca.conf -engine pkcs11 -keyform engine -keyfile "pkcs11:object=Private key for PIV Authentication" -extensions v3_intermediate_ca -days 1095 -notext -md sha256 -in csr/foobar.int.csr -out certs/foobar.int.cert.pem
|
||
|
# Add the CA to create a chain
|
||
|
echo certs/root.ca.cert.pem >> certs/foobar.int.cert.pem
|
||
|
```
|
||
|
|
||
|
### Certificate Revocation List
|
||
|
|
||
|
Distribution point configured in under `server_cert` > `crlDistributionPoints`
|
||
|
|
||
|
This must be reissued every 180 days
|
||
|
|
||
|
```sh
|
||
|
# Revoke the certificate
|
||
|
openssl ca -config config/ca.conf -revoke certs/foobar.int.cert.pem
|
||
|
# Create the CRL file
|
||
|
openssl ca -config config/ca.conf -gencrl -out crl/ca.crl.pem -engine pkcs11 -keyform engine -keyfile "pkcs11:object=Private key for PIV Authentication"
|
||
|
```
|